Security policy

Our security policy aims to protect sensitive company and customer data, prevent unauthorized access, ensure traceability of actions and guarantee regulatory compliance, particularly with Canadian requirements. It is a living, evolving document. 


Wherever possible, we favor hosting information in a data center located in Canada. Data identified as sensitive by our customers is always stored and processed exclusively in Canada.

Access Management and Authentication

Fundamental principles

  • Principle of least privilege: Each user has access only to the resources required for his or her tasks.
  • Multifactor authentication (2FA) mandatory on all services where available (in progress)
  • Exclusive use of nominative accounts (shared accounts are prohibited, with approved exceptions)
  • Strict separation of environments (development, staging, production)

Communications & Infrastructure Security

Data encryption

  • HTTPS communications mandatory for all web services with valid SSL certificates
  • Cloudflare as the leading security solution for protecting and optimizing web services
  • Mandatory encryption of data at rest and in transit

Secret management

  • Strict ban on storing secrets in source code or on workstations
  • Use of well-known secret management tools (GitHub Secrets, 1Password, dedicated cloud services)

Development and Source Code

  • Static code analysis to detect security risks and dependency vulnerabilities
  • Automatic repository scanning to detect secret leaks

Artificial intelligence

  • Use of private LLMs whenever possible (dedicated GPT instances, Claude in Azure or AWS)
  • Avoid exposure of sensitive data to public AI services

Equipment and Work Environment

  • Ongoing evaluation of secure VPN solutions (Cloudflare, Twingate, Tailscale, etc.)
  • Restricting external storage devices

Access lifecycle

Onboarding

  • Documented access allocation procedure
  • Mandatory security policy training with signature

Maintenance

  • Regular audit of all accesses
  • Checking the relevance of access according to current roles

Offboarding

  • Immediate revocation of access on departure
  • Deactivation checklist followed by IT team

Our projects are adapted to security requirements